On 5/9/2014 4:54 PM, Florian Weimer wrote:
> On 05/06/2014 04:05 PM, Xuelei Fan wrote:
>> On 5/6/2014 9:36 PM, Florian Weimer wrote:
>>> On 04/02/2014 01:19 AM, Xuelei Fan wrote:
>>>> Here is the updated version:
>>>> http://cr.openjdk.java.net/~xuelei/8034248/jep-csre-v01.txt
>>>>
>>>> Updated the description section and a few words so that it is easier to
>>>> understand.
>>>
>>> I think the server side would benefit from an API which allows code to
>>> directly supply the OCSP response to be stapled, perhaps as part of the
>>> extended trust manager.
>>>
>> Typically, an OCSP response is time-variant. Ideally, the response should
>> be retrieved and updated internally, in time and automatically. For the
>> first stage, I only want to implement the essential feature, and keep
>> the footprint as small as possible.
>
> I think we need a non-blocking way to inject the OCSP response into
> SSLEngine.
>
Yes. The delegated task can be used to get the OCSP response.
> And from a deployment perspective, we really need to provide something
> that avoids making the OCSP request directly (or through an HTTP proxy).
> Access to external resources is often quite restricted, and due to the
> way OCSP has been specified, it is rather difficult to proxy it without
> providing a generic web proxy service.
>
Really good point! In the SunJSSE provider, the PKIXRevocationChecker can be used to get the OCSP response. However, this cannot apply to a customized key/trust manager. I will consider adding new APIs to allow the supply of the OCSP response, probably in the key manager, in this JEP or in an additional small enhancement later.

Thanks,
Xuelei
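The two mechanisms the reply above refers to, shown as an added example that is not part of the JEP, the thread, or the JDK's own code: the existing java.security.cert.PKIXRevocationChecker API can be handed a DER-encoded OCSP response that the application already holds (for instance one received via the TLS status_request extension, or fetched by some internal service), so a custom trust manager can check revocation without the JDK opening a connection to the responder; and SSLEngine's delegated tasks can be run on an executor so that whatever work they do (including any OCSP retrieval) does not block the I/O thread. The class and method names, the idea of passing the response in as a byte array, and the choice of checker options are assumptions made for illustration; the server-side "supply the response to be stapled" API discussed in the thread does not exist in this JEP draft and is not shown.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.Executor;
import javax.net.ssl.SSLEngine;

/**
 * Added example, not JDK or JEP code. Names are hypothetical.
 */
public final class OcspSuppliedChecks {

    /**
     * Validates a peer chain against trustStore, using a DER-encoded OCSP
     * response the caller already holds for chain[0] instead of letting the
     * revocation checker contact the responder named in the certificate's AIA.
     */
    public static PKIXCertPathValidatorResult validateWithSuppliedOcsp(
            X509Certificate[] chain, KeyStore trustStore, byte[] ocspResponseDer)
            throws Exception {
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc =
                (PKIXRevocationChecker) cpv.getRevocationChecker();

        // ONLY_END_ENTITY: only chain[0] is checked, since that is the only
        // certificate we have a response for (intermediates go unchecked,
        // so drop this option if responses for them can be supplied too).
        // NO_FALLBACK: do not fall back to CRL download if OCSP cannot be
        // completed; a failure is reported rather than worked around.
        rc.setOptions(EnumSet.of(
                PKIXRevocationChecker.Option.ONLY_END_ENTITY,
                PKIXRevocationChecker.Option.NO_FALLBACK));

        // Pre-supplied response: the checker validates this instead of
        // issuing an OCSP request for chain[0].
        rc.setOcspResponses(Collections.singletonMap(chain[0], ocspResponseDer));

        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);
        params.addCertPathChecker(rc);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Arrays.asList(chain));

        // Throws CertPathValidatorException on a revoked certificate, an
        // invalid or stale response, or a chain that does not build.
        PKIXCertPathValidatorResult result =
                (PKIXCertPathValidatorResult) cpv.validate(path, params);

        // SOFT_FAIL is not set, so this list should be empty; checking it
        // keeps a later change to the options from silently passing failures.
        List<CertPathValidatorException> soft = rc.getSoftFailExceptions();
        if (!soft.isEmpty()) {
            throw soft.get(0);
        }
        return result;
    }

    /**
     * Drains the engine's delegated tasks onto executor without blocking the
     * caller. The returned future completes when all of them have finished;
     * the caller must not call wrap()/unwrap() again before that, and should
     * then consult engine.getHandshakeStatus() for the next step.
     */
    public static CompletableFuture<Void> runDelegatedTasks(
            SSLEngine engine, Executor executor) {
        List<CompletableFuture<Void>> pending = new ArrayList<>();
        Runnable task;
        while ((task = engine.getDelegatedTask()) != null) {
            pending.add(CompletableFuture.runAsync(task, executor));
        }
        return CompletableFuture.allOf(pending.toArray(new CompletableFuture[0]));
    }
}
```

The response passed to setOcspResponses is still fully checked (signature, matching certificate, validity window), so handing it in does not weaken validation; it only removes the network round trip that the restricted deployments mentioned above cannot make. Whether a particular JDK build consults setOcspResponses before contacting the AIA responder should be confirmed against the release in use.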